Posted by Soulskill on Wednesday November 14, 2012 @03:35PM from the new-york-must-have-a-lot-of-these dept.

DavidGilbert99 writes "With a £400 transmitter, a laptop and a little knowledge you could bring down an entire city's high-speed 4G network. This information comes from research carried out in the U.S. into the possibility of using LTE networks as the basis for a next-generation emergency response communications system. Jeff Reed, director of the wireless research group at Virginia Tech, along with research assistant Marc Lichtman, described the vulnerabilities to the National Telecommunications and Information Administration, which advises the White House on telecom and information policy. 'If LTE technology is to be used for the air interface of the public safety network, then we should consider the types of jamming attacks that could occur five or ten years from now (PDF). It is very possible for radio jamming to accompany a terrorist attack, for the purpose of preventing communications and increasing destruction,' Reed said."

As such, we have decided to retain the mandatory backdoors but leave them open to these minor vulnerabilities. The occasional permanent loss of an antenna, your Facebook account's integrity, or that one guy in Customer Service who decides to blow a whistle on us does not preclude your required payment of the 2012 Nation's Largest 4G Network Improvements Fee, or the upcoming 2013 Nation's Largest 4G Network Improvements Fee (which we hereby announce in this sentence, as double the 2012 version in all cases), even though both would be entirely too small to buy such high-value targets and high-class lays in such high volume.

Hop in a taxi or bus, drive around, turn off transmitter, walk some way, hop on another bus, turn it on again, turn it off again. Basically keep moving, make the movement sufficiently random, and you won't get caught. OK, a car battery is a bit heavy, but it's not that heavy that you can't carry it around on your lap.

Regarding the "oh noz terrorists", not everything has to be linked to terrorists, isn't it more likely that in the event of a "terrorist" attack, the system would be brought down by people just trying to call the emergency number or friends and family? And anyway, haven't I read about various authorities around the world wanting a switch to turn off the phone networks in the event of a terrorist attack?

So when the "terrorists" do it, it's bad, but when the authorities do it, it's just fine...

You could probably also get away with playing little tricks with duty-cycle or directional antennas, especially if "you" consists of more than one transmitter with some overlap in range.

Pure data links, with error correction, retries, and so on, might only be slowed by intermittent jamming; but somebody attempting to run a time-sensitive application (like, oh, a simulation of a classic two-way radio) could have a much harder time of it even if only intermittently jammed...
Tracking down a jamm

There are special issue government sim cards and phone numbers that get top priority and skip the cell queue. So even if the tower is "jammed" by people calling, those phones get priority and still get through. So important communication still happens.

Likewise, for emergency calls from consumer phones: Dialing 911 (or the local equivalent) skips all queues, and will forcibly drop other (non-emergency) calls if it must.

Imagine at 9/11, the terrorists would have put 100 transmitters at different places in New York (to be had for just £40.000, a bit more than $63.000, certainly affordable for a larger terror organization), which started jamming at the time of the attack. How long do you think it takes to find the 100 jamming devices, if you don't have an idea how many there are, and you can't communicate about it? And remember, until every single of them has been found, communications doesn't work.

Radio frequency direction finding equipment is not new, nor is its use in a military capacity. Ask someone ex-Army who used to have a 98 or 33 as the first two digits of their MOS...(former 33T speaking)
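The direction-finding approach mentioned above, as an added example that is not from this thread: a least-squares fix of an interference source from several DF station bearings, with a per-station sanity check that flags a bad bearing or a 180-degree back-bearing ambiguity. Station positions and bearings are constructed sample data on a flat km grid (x east, y north).

```python
import math

# Added example (not from the thread): locating an interference source from several
# radio direction-finding bearings, the calculation an operator's interference-hunting
# team does once a few DF stations report a bearing. All positions and bearings used
# here are constructed sample data; grid units are km, bearings are compass degrees
# (0 = north, 90 = east, clockwise).

def bearing_vector(bearing_deg):
    """Unit vector along a compass bearing on an x-east, y-north grid."""
    r = math.radians(bearing_deg)
    return (math.sin(r), math.cos(r))

def locate_source(fixes):
    """fixes: list of ((x, y), bearing_deg) from DF stations.
    Returns the point minimising the sum of squared perpendicular distances to all
    bearing lines, or None when the bearings are (near) parallel and never cross."""
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (x, y), bearing in fixes:
        dx, dy = bearing_vector(bearing)
        # Projector onto the normal of this bearing line: P = I - d d^T
        p11, p12, p22 = 1.0 - dx * dx, -dx * dy, 1.0 - dy * dy
        a11 += p11; a12 += p12; a22 += p22          # A = sum(P)
        b1 += p11 * x + p12 * y                     # b = sum(P a)
        b2 += p12 * x + p22 * y
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        return None
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def fix_quality(fixes, point):
    """Per-station miss distance (km) between the bearing line and the solution, and
    whether the solution lies ahead of the station along its bearing. A large miss
    flags a bad or reflected bearing; ahead == False flags a back-bearing ambiguity."""
    px, py = point
    report = []
    for (x, y), bearing in fixes:
        dx, dy = bearing_vector(bearing)
        rx, ry = px - x, py - y
        along = rx * dx + ry * dy            # distance along the bearing
        miss = abs(rx * dy - ry * dx)        # perpendicular distance to the line
        report.append({"miss_km": miss, "ahead": along > 0})
    return report

if __name__ == "__main__":
    # Three constructed stations whose bearings all cross at (5, 5)
    sample = [((0.0, 0.0), 45.0), ((10.0, 0.0), 315.0), ((5.0, -5.0), 0.0)]
    p = locate_source(sample)
    print("estimated source:", p)
    for r in fix_quality(sample, p):
        print(r)
```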

Upthread, it was posited that if you brought down LTE, you might bring down public safety response as well. Many units use freq-hopping devices that are somewhat immune to specific (or many) channel jamming. Although there is a bit of this in LTE, the attacks purported are more infrastructure attacks than broad-spectra/channel-specific attacks. The infrastructure melts, metaphorically speaking.

With FSK radios, attacking the radio is useless, unless you attack all of the F(reqs) used by the FSK radios. You c

Ahh...I understand now...you were criticizing the proposed attack, rather than how to find the transmitters that would be required to carry it out.

You could take out a very complex freq-hopping transmission tower by doing some simple multiplexed transmission with a directional antenna (several per tower, as someone pointed out down thread)...don't have to time-sync if you're not trying to establish communications, just need a strong enough signal.

If you are a terrorist, it would not matter. Even if all 100 of them were found within 1 hour and deactivated, the real result would be delivered by the media. Can you imagine the headlines if such a thing would happen?

13 guys with box cutters saw to it that we can not take a nail-clipper onto a plane. The result of their action is that laws have been created that limit everybody's rights all over the world.

The fear the media would create is so much more than what the terrorists could do themselves. Fear nothing but fear itself, and that is what will be created: fear.

If I were a terrorist intent on disrupting the network, I'd place directional antennas on rooftops and point them at the cell towers. They wouldn't have to jam every cell phone, just the cell towers' reception. That should take a lot longer to trace. It would come down to how leaky the jammers' antennae are and how sensitive the detection equipment is.

Even so, the jamming does not have to last long to cause big problems. Just half an hour coordinated with a major event would make it tough on the first

But also given how the landscape shapes radio transmissions, it would be a good exercise to find one, but for every unit overlapping it would become much more difficult to isolate and locate, and god forbid anyone get creative with it.

Once these guys get the attention of the network operator, they'll be found quickly.

I am not so sure about that. I have a lot of experience in ham radio foxhunting from both the hunting and hiding aspect. For all but the most difficult hunts, the hider has specific limitations which must be followed in aspects like location and timing. Even with those restrictions, on several occasions I and others were able to hide transmitters which, while readily receivable, were all but impossible to find by the vars

What's the point here? You can do the same thing with all the proprietary public safety network gear various vendors are peddling - they are mostly hilariously insecure. Or if you have a portable generator, just flood the public safety band with interference. It accomplishes the same thing.

The article claims older 3G and 2G networks would still work if LTE were jammed but that's completely false. There are a ton of ways to jam those by using fake femtocell pilot signals or otherwise interfering with synchronization signals.

In fact the MIMO technology of LTE could make it slightly harder to jam if the base stations are properly filtering stray signals. Use car-mounted MIMO for the user-side and you would get something way better than any of the existing systems at resisting interference.

Do you see people walking around with WiMax phones? Of course it's just referring to LTE.

(WiMax isn't 4G either. At least not now. Anyhow...) What's on the streets now is already outdated from a theoretical point of view, and does not preclude vulnerabilities from being found in what isn't on the streets - what will be there in the future matters even more, and is, I would think, even more of interest to researchers and nerds.

And Moscow already has true 4G, several Scandinavian cities are about to get it, and it may come the US too one day. (And I predict Verizon and T-Mobile first, the rest late

With a £400 transmitter, a laptop and a little knowledge you could bring down an entire city's high-speed 4G network.

came from but it is 100% false (unless you are talking about a very, very small "city").

This "attack" is just broadcasting noise and messing with communication protocols. So the range is limited to the coverage area of the transmitter. Including dead zones where there is too much concrete and steel for the transmitter to get through.

So you should see the same pattern for blocking as you do for regular access. With a similar requirement for blocking as for coverage.

And don't forget antenna location. As a general rule, higher is better. If you're trying to jam an entire city from a car in the street, you'd have to radiate so much power that your alternator would whine and your brain would become... warm.:)

It'd be better from the top of a tall building, but now you can easily be located and dealt with. Unless you're Spiderman and can leap from one building to the next, that is. Or, you don't think anyone

I think most large emergency response teams now use an encrypted radio w/ hopsets configured. Like the military gear, it jumps channels very rapidly. It makes the signal very difficult to jam. You would have to block out a wide swath of frequency to do so effectively. I know that major cities in California started making the switch back in 2005. I would expect any major city in the US to have already switched by now.

The article clearly states that the issue with 4G is that it's extremely sensitive to synchronization of transmitter / receiver. It doesn't require much power to disrupt this. Older networks (2G, 3G) are less prone to this issue, so it becomes less practical to jam an entire city.

Setting up picocells / femtocells can trick phones, but again, people who understand the protocols better than you or myself (the people who did this research) determined that this is les

Transmitting some random packets with the WiFi card. There are many things you can do on the low level link.

Certainly, when in some hotel there is the paywalled internet asking for like $20/day, it is possible to sniff the traffic, find some MAC address that paid, and pretend to be him/her. There is nothing that could be done to prevent such hacks. Not that I recommend doing this. Please don't do this, this is illegal. I am just saying this is possible.

The level of network knowledge in the general population is pretty low too, so it's not like more than a small fraction of guests would even know where to begin. As such, the hotel has very little reason to worry about it, unless it causes a problem for the paying guest. (Which I imagine this would? Never played with duplicate MACs on a wifi network.)

Overall, I would imagine that, unless you do something that gets their attention (like stopping other guests access from working) they have little incentive to c

The problem is how to do it while keeping things easy for the users. At least the WPA enterprise setups I've seen have looked like a pain to configure on the client end (though that may have just been the university being too cheap to pay for certificates) and have the problem that you have no way of giving instructions before the user is connected. VPNs often require considerable setup too. Yes, you could distribute a preconfigured VPN client, but how many of your guests will want to install your software jus

When I was in college and wifi routers were just getting to the point where they were affordable enough for a regular person to buy, whole dorms would go out when people switched the WAN/LAN connections. Campus didn't have wireless yet, and the IT guys would get all upset and start going from room to room trying to find who had the mis-installed routers. Happened after every break.

Traditionally (depends on where you live) turning on the green throws a relay shorting the filament on the opposite green. So if you try two greens at once, it blows the fuse/circuit breaker, because fuses don't like short circuits. This is tricky, and your timer needs at least a fraction of a second of dead time where it's red all around.

Another fun way to wire it up, is 240v with 120 lamps, hot, to green light, to the red and yellow opposite, and from either red or yellow to neutral. This makes the midni

Huh? Sprint had the first 4G network with WiMax and is currently in the process of rolling out LTE. By the end of 2014 everywhere that currently has Sprint 3G service will have LTE coverage and most towers will have fiber backhauls which is significantly more ambitious than the big 2.

I do IT on yachts and heard a story of a yacht that had cell repeaters on board. The installation company had the power cranked all the way to 11 and knocked an entire coastal town's cell service out while they were in port. Vodafone politely asked them to turn that shit off.

At a wireless training session with one of our vendors they said that the US navy aircraft carriers jam all radio transmissions when they enter port. That sounds like a bit of a frustration.

They couldn't have. They used the satellite communication to coordinate their attacks. If they had jammed it, they wouldn't have been able to use it themselves. (Of course they were so awesome they should have had their own satellites, but that's suspension of disbelief.)

You can jam radio frequency communications with a sufficiently powerful and/or noisy signal on the same frequency? Who would have thought? I realize that the article is more about LTE's weaknesses, but trying to play it off as some national security weakness is total fearmongering.
Even if LTE is inherently weak against jamming attacks (which is probably by design for the "authorities" to shut it off as they please), so what if one idiot can jam one cell site? (which is what the article really says if yo

And why the hell would first responders/emergency workers be using LTE for anything critical, anyway?

Actually, they ARE going to be using LTE for public safety. The next generation public safety network (which may be used for decades) is going to use LTE on the public safety bands. The whole point of this article was to raise awareness and add some jamming mitigation before it gets put into the public safety network.

I don't doubt that they are planning to use LTE for public safety, I just question why they would *want* to use LTE for public safety. It's super-fast, but that's where the benefits end from what I've seen. It seems to have mediocre propagation characteristics even at low frequencies, every LTE device I've ever seen will intermittently drop the connection then take a few minutes to restart it, and does indeed seem to have issues with interference in addition to questionable performance in situations with

I hate to say it, but 4G for an emergency network is just a money sink. I hate to have a defeatist attitude, but at least in my small New England town this would be a complete waste of time and money and effort. We have no unified dispatch system. All land line 911 calls go to police. If you want Fire or Ambulance it's transferred to the Fire department, who then transfers medical calls to the ambulance. If you call from a cell phone it goes to the state police regional office first, then to the local state police barracks, then to town police, etc. Police and fire are on separate frequencies. ICS is a joke and never implemented. EMA is run with all donated equipment and the goodwill of Ham operators. Better than nothing? Certainly, but not by much. I put an IP camera onto their EMA vehicle, punched a hole in their firewall, and the chiefs were able to view the scene and control the camera from the EOC. It took me 10 minutes, but it was like the natives seeing an airplane. The average Police/fire/EMA chief is 50+ years old and typically holds a grease pencil, not an iPad.

Example, there was a mill fire in the neighboring city. Multiple towns responded. No ICS, no communication plan, everyone on one channel walking all over each other. There is no way any of these communities could implement, monitor or effectively use a 4G solution.

You're looking at it all wrong. Terrorists needn't go through the effort of attacking a military might at all. Just take down all communications in a city, and watch the mayhem.

Aside from huge inconvenience, and a whopping expense to resolve the problems, there's so much more. Businesses stop working. Security alarms stop working -- which doesn't matter because the traffic alone will stop any timely response. Here comes the looting, followed closely by the rioting.

It's not the end of the world, and it'll all get resolved in a day or two; but that's a day or two of mayhem, followed by a couple weeks of clean-up. And it all cost $500 to the terrorist -- which can just as easily be a local. Or worse, a local with an imported cellphone, who doesn't know that he's the one causing the mayhem.

Dude, you can't take down an entire city's communication network with a $500 box or a screwed-up handset. You could jam one cell site, at best. Probably only one sector of one cell site, though. On one carrier. Stop spreading this FUD and bullshit.

In the scenario described in TFA, landlines would still work, 2G would still work, 3G would still work, 4G LTE data might be down on one carrier (in the geographic area covered by one sector of one cell site), but the other carriers and every other sector o

2G, 3G, and landlines won't exist in five years. This article talks about police radios going to LTE. No one has walkie talkies anymore. Multiple carriers roam on each other's networks, and share cell sites. One sector of one tower of one carrier is enough to cover an entire office building. Overlapping towers can quickly become over-saturated in the absence of a single one.

You're correct that it's all FUD. But not because it can't work exactly that way. Only because terrorists are monumentally stupid and can't